Malicious Supply Chain Risk

• Threat:

- Nation-state, terrorist, criminal, or rogue developer who gains control of systems or information through supply chain opportunities; exploits vulnerabilities remotely, and/or degrades system behavior

• Vulnerabilities:

- All systems, networks, and applications

- Intentionally implanted logic (HW/SW)

- Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)

- Controlled unclassified information resident on, or transiting supply chain networks

• Consequences:

- Loss of data; system corruption

- Loss of confidence in critical warfighting capability; mission impact

Access points are throughout the acquisition lifecycle...

...and across numerous supply chain entry points

- Government

- Prime, subcontractors

- Vendors, commercial parts manufacturers

- 3rd party test/certification activities


PSAR-15 

2015/03/17 | Page-2 


Distribution Statement A - Approved for public release by OSR, SR Case #s 15-S-0089, 14-S-2175, 15-R-0910 apply. Distribution is unlimited. 














Many System Security Risks to Consider

- Product defect/inadequacy introduced either through mistake or negligence during design, production, and post-production handling resulting in the introduction of deficiencies, vulnerabilities, and degraded life-cycle performance

- Mission failure in the field due to environmental factors unique to military and aerospace environment factors such as particle strikes, device aging, hot-spots, electromagnetic pulse, etc.

- Counterfeit and other than genuine and new devices from the legally authorized source including relabeled, recycled, cloned, defective, out-of-spec, etc.

- The intentional insertion of malicious hard/soft coding, or defect to enable physical attacks or cause mission failure; includes logic bombs, Trojan ‘kill switches’ and backdoors for unauthorized control and access to logic and data

- Unauthorized extraction of sensitive intellectual property using reverse engineering, side channel scanning, runtime security analysis, embedded system security weakness, etc.

- Stolen data provides potential adversaries extraordinary insight into US defense and industrial capabilities and allows them to save time and expense in developing similar capabilities.




Systems Security Engineering is a critical discipline of SE, addressing a 
spectrum of security risks that are magnified by complex system attributes 

DoDI 5000.02 and PPP Outline & Guidance




Program managers will employ system security engineering 
practices and prepare a PPP to guide their efforts and the 
actions of others to manage the risks to critical program 
information and mission-critical functions and components 
associated with the program 

- The PPP will be submitted for MDA approval at each Milestone review, 
beginning with Milestone A 

Program managers will describe in their PPP: 

- Critical Program Information, mission-critical functions, and critical 
components 

- Threats to and vulnerabilities of these items 

- Plans to apply countermeasures to mitigate associated risks 

- Plans for exportability and potential foreign involvement 

- The Cybersecurity Strategy and Anti-Tamper plan are included as 
appendices 


PPP Outline and Guidance provides a template 

Safeguarding Unclassified Controlled Technical Information





SECRETARY OF DEFENSE
1000 DEFENSE PENTAGON
WASHINGTON, DC 20301-1000

OCT 10 2013

MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS
CHAIRMAN OF THE JOINT CHIEFS OF STAFF
UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY AND LOGISTICS
UNDER SECRETARY OF DEFENSE FOR POLICY
UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE
COMMANDER, U.S. STRATEGIC COMMAND
COMMANDER, U.S. CYBER COMMAND
DIRECTOR, COST ASSESSMENT AND PROGRAM EVALUATION
DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER
DIRECTOR, DEFENSE INTELLIGENCE AGENCY
DIRECTOR, NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE

SUBJECT: Safeguarding Unclassified Controlled Technical Information

The Department of Defense (DoD) is committed to protecting our unclassified controlled technical information against the threat of cyber intrusions that target the Department and our industrial base. Stolen data provides potential adversaries extraordinary insight into the United States’ defense and industrial capabilities and allows them to save time and expense in developing similar capabilities. Protection of this data is a high priority for the Department and is critical to preserving the intellectual property and competitive capabilities of our national industrial base and the technological superiority of our fielded military systems.

In order to ensure our unclassified controlled technical information is protected from cyber intrusions and that any consequences associated with loss of this information are minimized, I am directing the following actions which will augment our ongoing activities in this area:

The Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)), in coordination with the Under Secretary of Defense for Policy (USD(P)), the Under Secretary of Defense for Intelligence (USD(I)), and the DoD Chief Information Officer (CIO), shall take immediate action to improve the protection of unclassified controlled technical information that resides on or passes through defense contractor systems or networks. This shall include necessary policy, guidance, and rulemaking activities, to include expansion of current cybersecurity information-sharing activities and programs. USD(AT&L) shall propose an amendment to the Defense Federal Acquisition Regulation Supplement for defense contractors to safeguard unclassified controlled technical information.

USD(AT&L), with the support of USD(I), USD(P), the Defense Intelligence Agency, the Joint Staff, U.S. Strategic Command (USSTRATCOM), and the Military Departments, shall

OSD071338-13



Secretary of Defense Memorandum, October 10, 2013

- Recognizes the threat to the competitive 
capabilities of the Defense Industrial Base (DIB) 
and the technological superiority of our fielded 
military systems. 

- Directs a series of actions to: 

o Protect DoD unclassified controlled technical 
information from cyber intrusions 

o Minimize the consequences associated with 
loss of this information 

- Augments and re-emphasizes current activities,
such as the DIB Cyber Security/Information
Assurance (CS/IA) Program

DFARS Clause 252.204-7012: Safeguarding Unclassified Controlled Technical Information*


• Published November 18, 2013

- Clause affects all new contracts that contain, or will contain unclassified controlled 
technical information 

- Includes flow down to all subcontracts 

• Purpose: Establish minimum requirements for DoD unclassified 
controlled technical information on contractor information systems 

- Requires contractors implement minimum set of information security controls 

o 51 information security controls from NIST SP 800-53, Revision 4 
o Combination of Technical, Process, Awareness, and Training measures 

- Requires contractors report cyber incidents and compromises

- Requires contractor actions to support DoD damage assessment as needed 

• Incident Reporting 

- Reporting includes: 

o DoD contracts and subcontractor information affected by a cyber incident or compromise 
o DoD programs, platforms, or systems involved 
o Description of DoD technical information compromised 

- Reported information does not include signatures or other threat actor indicators 

*http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm

PPP Methodology

Criticality Analysis

- Determine system critical components based on critical mission threads
- Analyze component vulnerability to malicious exploit
- Identify potential component suppliers

CPI Analysis

- Identify capability elements providing a US technological advantage
- Assess the risk associated with each CPI (exposure, consequence of compromise)
- Conduct horizontal analysis

Threats and Vulnerabilities Assessment

- Identify supply chain threats and vulnerabilities
- Identify foreign collection threats and vulnerabilities
- Identify personnel, physical, operational threats and vulnerabilities

Program Protection Plan

- Determine candidate protection measures to address vulnerabilities: anti-tamper, cybersecurity, hardware/software assurance, physical security, operations security, supply chain, system security, and trusted suppliers
- Determine foreign involvement expectations and impacts on protection measures
- Conduct engineering risk/cost trade-off analysis to select protection measures
- Identify acquisition mitigations (e.g., blind buy, trusted source)
- Determine system security requirements

Contractor

- Respond to acquisition and security requirements
- Continually assess security risks during design reviews and system implementation
- Conduct early defense exportability features planning and design

Test and Evaluation

- Assess hardware and software vulnerabilities
- Evaluate anti-tamper protections
- Verify security requirements (Contractor, Developmental Test, Operational Test)

Program Protection - an Integral Part of Systems Engineering

SE, SSE and DT&E are Mutually Supportive

MSA

- System Requirements, security performance and threat parameters
- Evaluation Methodology, T&E strategy, schedule, & resources
- SEP, PPP
- MS-A TEMP

TMRR

- Preliminary System Design, with critical hardware, software components, vulnerabilities
- DT&E Assessment, Evaluation Framework, T&E strategy, schedule, & resources
- SEP, PPP
- MS-B TEMP

EMD / P&D

- Detailed System Design, with identified known vulnerabilities
- SEP, PPP
- System
- DT&E Assessment
- MS-C TEMP
- System Acceptance

Our Focus on SSE and SE


* DoD is putting policy in place for a risk-based cost benefit 
trade-off process to protect systems, their supply chain, and 
their software development 

* DoD is emphasizing the importance of SSE within systems 
engineering and its contribution to the design of systems by: 

- Ensuring that program protection is addressed during the SE technical reviews 

- Incorporating program protection and system security engineering requirements and 
processes into engineering development contracts 

- Working with industry and standards groups to revitalize system security engineering

* Industry is playing an important role in the DoD SSE initiative 
by: 

- Investing in research and processes to protect systems, the supply chain and the 
software development 

- Developing their SE and SSE processes and skills 


DoD efforts are targeting integration of system security engineering
considerations throughout the system life cycle

Questions?